MEPs back plans on cyber solidarity and managed security services

Aims to boost EU ability to detect and prepare for cyber threats

A new EU-wide network of National Cyber Hubs

Managed security services reform to allow for EU-wide certification schemes

The “Cyber Solidarity Act” aims to build a more resilient, collective EU response against cyber-threats.

The legislation adopted on Wednesday, already informally agreed upon with the Council, will bolster the European Union's ability to detect, prepare for, and respond to cybersecurity threats and incidents. The proposal's key objectives include strengthening EU-wide detection and situational awareness of cyber threats, enhancing preparedness and response capabilities for significant cybersecurity incidents, and fostering European technological sovereignty in cybersecurity.

These objectives will be primarily achieved through a pan-European network of National Cyber Hubs and by establishing a Cyber Emergency Mechanism and a European Cybersecurity Incident Review Mechanism.

During negotiations on the bill, MEPs advocated for sufficient funding for the EU Cybersecurity Reserve, which could play an important role in supporting Member States and EU institutions in dealing with large-scale cybersecurity incidents. They also pushed to ensure adequate support for the development of cybersecurity skills across the EU. This budget line will allow Cybersecurity competence centres to help Member States prepare against cyber threats.

Managed security services

A separate law on managed security services, also adopted on Wednesday, will introduce EU cybersecurity certification schemes for outsourced services that support an organization's cybersecurity risk management. The law comes in response to the increasing importance of managed security services in preventing and mitigating cybersecurity incidents. It seeks to prevent market fragmentation due to varying national certification schemes by establishing a unified European certification framework. The goal is to enhance trust in managed security services across the EU, supporting the overall cybersecurity posture and ensuring a high level of cybersecurity across Member States.

Quotes

Lead MEP on cyber solidarity Lina Gálvez Muñoz (S&D, ES) said: "This vote on the Cybersolidarity Act is a victory for our democracies in an increasingly digitised world. This regulation will protect our institutions and critical infrastructure by strengthening our capabilities to detect, prepare and respond to cyber threats and cyber attacks through cooperation between Member States."

"We are creating a cooperative tool to defend our citizenship, our democracies and our infrastructures. We have worked tirelessly in Parliament to ensure that this regulation aims at the coordinated development of cybersecurity capabilities and helps to close cybersecurity skills gaps" she added.

Lead MEP on managed security services, Josianne Cutajar (S&D, MT), said: "This vote paves the way for a democratic and transparent cybersecurity certification scheme for managed security services that avoids market fragmentation".

"The law recognises the importance of supporting SMEs in light of the implementation of the new act, such as through more financial and technical support, a clearer definition of managed security services, and acknowledging the challenges posed by the existing skills gap. By setting up this clear framework, we are increasing transparency in the process of the certification of the schemes, ensuring the participation of the European Parliament and strengthening security within the EU for the many, not just the few" she added.

Next steps

The Cyber Solidarity Act was adopted with 470 votes to 23, with 86 abstentions, while the legislation on managed security services was adopted with 530 votes to 5, with 53 abstentions. Both will now need the formal approval by Council in order to become law.

Background

A briefing from the European Parliament’s research service highlights that Russia's war against Ukraine has revealed the extent of our dependence on digital technology and the fragility of the digital space. It has triggered a surge in cyberattacks that have been particularly disruptive when targeting critical infrastructure – such as energy, health or finance – because of the increasing reliance on information technology, rendering this infrastructure all the more vulnerable. Against this backdrop, the Commission has proposed a regulation on a cyber solidarity act that would address the urgent need to strengthen solidarity and the EU’s capacity to detect, prepare for and respond to cybersecurity threats and incidents.